System for internal audit and internal control management and related methods

ABSTRACT

A computerized system and related computer operations manage internal audit and internal controls, especially for corporations and other business entities with regulatory reporting requirements, such as the Sarbanes-Oxley (“SOX”) Act. Computer operations and associated user access to such operations are facilitated by integration of the multiple environments typically associated with internal audit and internal control management, such as the development environment, the run-time environment, and the management environment. The system employs a micro service architecture and distributed memory, and makes use of metadata and pipelined linkages for the data and associated controls under management, which features increase various system operation efficiencies and increase ease of operations by audit group and associated personnel, such as by permitting examination of data and evidence of audits and controls at multiple levels of detail from visually perceptible user interfaces, generally from a single displayed screen thereof. Mapping and scheduling subsystems have been programmed so that heterogeneous data sources may be accessed through a single user interface. Control mapping may be written initially and then reused as controls and data evolve, without substantial rewrite, by virtue of programming agnostic to scripting languages and data formatting.

FIELD

This disclosure relates to computer-based systems, and in particular, to computer-based systems for internal audit and internal control management. A portion of the disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever.

BACKGROUND

Corporations, companies, and other business entities are often subject to a variety of regulations, such as the Sarbanes-Oxley (“SOX”) Act. Such regulations often include provisions which relate to internal controls of operations of such corporate entities, and require appropriate management, assessment, and other compliance activities. Separate and apart from regulatory requirements, business efficiencies may likewise dictate internal business and financial processes, reporting requirements, and other related internal business control structures, the management and auditing of any of the foregoing being important elements of business operations and regulatory compliance.

In view of the foregoing, various computer-based systems for internal audit and internal control management, including a management assessment of internal controls under SOX Section 404, have been developed. These computer-based systems may suffer from various drawbacks and disadvantages, and thus pose challenges for the audit team or audit group charged with responsibility for internal audit and internal control management, whether internal or external to the business entity. For example, the disparate processes of a business and the need to define, control, and audit such processes may result in audit information being dispersed in unrelated computer systems or formats. Such dispersion may likewise cause error and duplication in audit processes and thus increase compliance risk to the organization. With regard to managing controls, if diverse computer programs are used for different processes, the assembly and submission of compliance reports or management assessment thereof will not have an integrative or efficient approach.

Furthermore, computer-based internal audit and internal control management software may not be scalable to dynamic or changing audit control demands as the businesses grow and diversify.

If multiple vendors are involved in different aspects of the audit control management processes, there is a possibility for proprietary coding to interfere with efficient operation of the management software.

The monitoring of internal controls is often not sufficiently continuous to identify needed alterations in the controls, resulting in a reactive approach rather than a proactive approach.

SUMMARY

In one suitable implementation of the present disclosure, a computer system for internal audit and internal control management makes use of a platform having a development environment, a run-time environment, and a management environment. The system is capable of using not only a plurality of heterogeneous data sources, but storing such data sources in distributed databases, the stored data relating to auditable processes. Similarly, a plurality of repositories stores data associated with controls and rules that relate to management of audit controls. The different environments of the platform are associated with interconnected computer subsystems having programming routines associated therewith. The subsystems may include a data on-boarder, a connection adapter subsystem, a GRC forms subsystem, and a control designer. The system may improve its operations by making use of a data integration server. The management environment of the system may include subsystems with programming for incident management, issue management, scheduling, monitoring, and security, and such subsystems may be readily accessible to any authorized users of the audit team, development team, or management.

A RESTful application programming interface may be associated with certain implementations of the system hereunder, especially with those subsystems associated with the development environment. A plurality of dashboards having user-selectable fields associated therewith may display, in real time or near real time, key performance indicators associated with the controls under management and associated tasks, batches, and other audit control management functions. One dashboard may be in the form of a scoreboard which displays detailed records of respective key performance indicators in response to user selection of an associated field.

The data on-boarder, according to certain implementations, creates data flow mappings corresponding to data source objects to be on-boarded. It may also edit data flow mappings which have been previously created by the data on-boarder. In either case, data source objects may be dragged and dropped into logical workspaces accessible through the application programming interface, and predetermined connections may be associated with the dropped data source object. The data flow mappings may be developed and subsequently validated using transformation objects selected from the group consisting of Joiner, Filter, Lookup, Router, Cache, Expression, and JAVA/Scala/Python/R transformations.

The control designer subsystem performs mappings making use of features and data associated with the data on-boarder, but has programming to develop and validate control mappings associated with dataflow mappings or data source objects. One feature of the control designer is a control mapper which has programming capable of, among other mapping functions, maintaining control logic associated with a control mapping irrespective of substitution of one of the data source objects for another data source object.

In still further implementations, connection adapters and the associated connection adapter subsystem permit the system of this disclosure to access data sources which are heterogeneous, such as both relational and non-relational data sources, ERP and non-ERP applications, and data sources formatted in different industry standards, any of the foregoing being amenable to the dragging and dropping into logical work spaces for creation of data flow mappings or control mappings.

The scheduling subsystem permits selection and scheduling of multiple applications, batches, and tasks, in real time. The scheduling subsystem likewise permits continuous, intermittent, and one-time executions of the foregoing processes, any of the foregoing being accessible through a single, user-perceptible display screen.

In still further implementations, data on-boarder and control designer make use of data flow mapping metadata and control mapping metadata, use of such metadata improving system operations.

Still further implementations include programming for improving system operations relating to the monitoring of controls in real time, such as through a single user-perceptible monitor user interface. The programming may be operable to identify in real time a failure during execution of a control related task, generating corresponding incident reports, and enabling a restart of the control related task at an audit control point associated with the failure, as opposed to a re-start from the beginning of such control related task.

The foregoing system and subsystem components and related programming may be useful for performing associated methods of internal control management corresponding to the various functions described above with reference to the overall system.

BRIEF DESCRIPTION OF THE DRAWINGS

The disclosure herein will be more readily understood with reference to the drawings, in which:

FIG. 1 is a context diagram of exemplary implementations of a computerized system for internal audit and internal control management;

FIG. 2 is a high-level system architecture schematic of the various implementations of the computerized system of FIG. 1;

FIGS. 3 and 4 are schematic diagrams of further aspects of the systems of FIGS. 1 and 2, and showing system architecture for accomplishing continuous control monitoring;

FIG. 5 is a flowchart disclosing one exemplary series of computer operations relating to continuous control monitoring and an associated real-time dashboard in the form of a scoreboard, the foregoing associated with the various implementations shown schematically in FIGS. 1-4;

FIG. 6 is a flowchart showing another exemplary series of computer operations capable of being performed by associated programming of the system disclosed in FIGS. 1-4 herein, and related to management of connection adapters;

FIG. 7 is a flowchart showing another exemplary series of computer operations performed by associated programming of the systems of FIGS. 1-4, related to the management of GRC forms;

FIG. 8 is a flowchart of certain computer operations, as well as associated programming capable of performing such operations, and related to a data on-boarder system of the internal audit and internal control management computerized system of FIGS. 1-4;

FIG. 9 is a flowchart showing various operations, as well as associated programming capable of performing such operations, and associated with a control designer subsystem of the computerized systems of FIGS. 1-4;

FIG. 10 is a flowchart of computer operations, as well as programming associated therewith capable of performing such operations, and related to a scheduler subsystem of the computerized system of FIGS. 1-4;

FIG. 11 is a flowchart of certain computer operations, as well as associated programming capable of performing such operations, and related to a monitoring subsystem associated with the system of the FIGS. 1-4;

FIG. 12 is a flowchart showing certain operations, as well as associated programming capable of performing such computer operations, and related to an incident management subsystem of the systems of FIGS. 1-4;

FIG. 13 is a screenshot of one possible implementation of a user-perceptible dashboard according to the present disclosure, corresponding to real-time scoreboard operations shown in flowchart form in FIG. 5;

FIG. 14 is a screenshot of another possible implementation of a dashboard and associated user-perceptible screen, displaying indicia of monitoring subsystem operations shown in flowchart form in FIG. 11;

FIG. 15 is a screenshot of an exemplary possible implementation of a connections user interface according to this disclosure and associated with the connection adapter subsystem, one possible programming flowchart of which is shown in FIG. 6;

FIG. 16 is a screenshot of an exemplary implementation of a dashboard and associated user-perceptible screen thereof, and associated with the incident management subsystem of this disclosure;

FIG. 17 is a screenshot of another possible implementation of a dashboard and associated user-perceptible screen, and associated with the scheduling subsystem operations shown in flowchart form of FIG. 10 of this disclosure; and

FIGS. 18, 19, and 20 are screenshots of a user-perceptible graphical user interface in certain possible implementations of the control designer subsystem of the system herein, such designer subsystem associated with operations set out in FIG. 9 hereto.

DETAILED DESCRIPTION

Referring now to the drawings, and in particular to FIGS. 1-4, a computerized system for internal audit and internal control management 23, according to certain implementations of this disclosure, may be structured as a platform 25 integrating both internal audit management and internal control management, including related data on-boarding, control design, scheduling, and incident management, and other internal audit management and control management functions. Platform 25 may have programming subsystems or modules (used interchangeably herein) whose programming may be logically divided into a number of different environments corresponding to the functions performed by such subsystems and modules and including, in certain implementations, a development environment 27, a run-time environment 29, and a management environment 31.

System 23 has been structured and programmed to work with multiple data sources 33 stored in corresponding databases and having data related to any of the various auditable processes subject to assessment, management, and audit by system 23 of this disclosure. Similarly, system 23 is able to be operated more efficiently to connect data sources, and to map or otherwise design controls and associated data flows, by accessing multiple repositories 35, which repositories store records or other data associated with controls and rules related to control management and other operations of system 23. System 23 may be implemented through multiple, interconnected computer subsystems which are primarily associated with and executable in a corresponding one of the operating environments 27, 29, 31. Thus, in certain implementations, development environment 27 may have a first set of subsystems associated therewith, such as a data on-boarder 37, connection adapters 39, GRC (“governance, risk management, and compliance”) forms 31, and control designer 43, the programming and related functions of the foregoing being detailed subsequently in this disclosure.

Similarly, run-time environment 29 may be generally associated with a second set of computer subsystems, including a data integration server 45.

Still further, a third set of subsystems primarily associated with management environment 31 may include subsystems comprised of incident management 47, issue management 49, scheduling 51, monitoring 53, and security 55.

System 23 makes use of one or more RESTful application programming interfaces (“API”) 57, especially ones having user-selectable fields for purposes of operating subsystems in development environment 27, such as data on-boarder 37, GRC forms 43, connection adapters 39, and control designer 41. Users associated with such RESTful API may comprise any of those in the audit group or audit team, but may especially be operated by control or system developers, architects, and testers of the various internal audits and internal audit controls of system 23.

More generally, users, such as auditors, CEOs, COOs, process owners, data and line managers, or compliance officers, may have access to different environments or subsystems of system 23 depending on the access entitlement protocols for system 23 for different classes of users.

The subsystems associated with management environment 31 may generate a plurality of dashboards 59, displaying indicia corresponding to data in real time, and having user-selectable fields and thus capable of connecting users of dashboards 59 to underlying data associated with the indicia by suitable user selection of corresponding user-selectable fields. For example, dashboards 59 may include a control monitoring scoreboard 61, a user-perceptible screen 63 of which is shown in FIG. 13. Suitable programming of monitoring subsystem 53 collects and displays key performance indicators and associated indicia, in real time, such key performance indicators and associated indicia corresponding to controls field 65, related records scanned 67, tests performed 69, and associated risk scores 71. Scoreboard 61 and programming associated therewith permits display of detail records of any of the foregoing key performance indicators in response to user selection of associated user-selectable fields 73.

Referring now to FIG. 5, suitable programming of monitoring subsystem 53 is shown in flowchart form in relation to corresponding functions performed by such programming and its associated routines and subroutines. Users may cause execution of suitable programming through an internet browser to launch control monitoring scoreboard 61 (step 501). Monitoring subsystem 53 executes instructions so as to make real-time determinations of key performance indicators (503), making calls to relational database 505 as appropriate. Real-time determinations include controls executed, failed, data scanned, tests performed, associated risk scores, and the foregoing may apply to the various requirements, processes, or sub-processes under audit or control (505). User selection of corresponding indicia may bring up still further detailed information relating to the foregoing key performance indicators (507). Monitoring subsystem 53 further permits simultaneous display of detail records of selected key performance indicators (509) as well as simultaneous display of process detail records (511).

Programming and associated functions of data on-boarder subsystem 37 are shown with respect to certain implementations in FIG. 8.

Users who have been authorized by suitable entitlement protocols of system 23 to access data on-boarder subsystem 37 may include control developers or other developers of system 23, testers of such developments, those developing mapping of either data sources or controls, and any other system analysts or system architects. Such users may cause execution of suitable programming, such as the exemplary data on-boarder programming shown by flowchart 801. Data on-boarder subsystem 37 may be launched (803), once suitable credentials of the user(s) have been verified, through a suitable application programming interface, such as one of the RESTful APIs 57. Suitable programming may be received from user input or activated in response to user selection of corresponding input fields, to create one or more data flow mappings corresponding to one or more data source objects to be on-boarded. So, in one suitable implementation, suitable programming is executed to either create a new data flow mapping, having a new mapping name associated therewith, in a corresponding tree view folder, or a user may cause execution of programming to edit an existing data flow mapping, by selecting its name (805) in a suitable database of data flow mappings (821). Selected data source objects are dragged and dropped into a corresponding logical workspace accessible from RESTful API 57 (step 807).

Programming then enables selection of one or more predetermined connections for one or more corresponding selected dragged and dropped data source objects. The connections may comprise one of a plurality of connections which may have been previously determined by connection adapter subsystem 39 and stored in associated connection adapter relational database 609 by suitable programming (step 810). In response to the various data on-boarding operations being performed by the user, a source qualifier is generated along with a default select query corresponding to one or more of the dropped data source objects (811); the foregoing processes may continue through successive iterations related to different data source objects to be on-boarded until such time as one or more corresponding data flow mappings have been generated. Suitable processing steps for generating such data flow mapping involve the development and validation of the data flow mappings using different transformation objects, such as Joiner, Filter, Lookup, Router, Cache, expression, and any other suitable JAVA, Scala, Python, or R transformations (813). Upon validation of the data flow mappings, suitable programming (815) connects to target definitions and the resultant data flow mapping may be saved (817) in relational database 821.

The saved or stored data flow mappings may be subject to still further processing by suitable programming subroutines of data on-boarder subsystem 37. Thus, for example, execution of the data flow mappings may be performed in order to generate associated real-time statistics (829, 831). If issues are found upon data flow mapping execution, alerts may be generated, and such alerts may be saved during the generation or saving of the mapping result (825, 827). Still further operations may involve aligning of mapping objects (823) or the export of the developed data flow mapping as PDF or other image, for purposes of further internal audit and internal control management, again, with suitable programming and related subroutines of data on-boarder 37 being executed in response to user selection (823, 819).

Instructions and programming of data on-boarder 37 may likewise result in successful execution of the created or edited data flow mapping (833), in which case the resulting data from such execution may either be viewed through one of the RESTful APIs 57, or exported for further processing, such as in Excel or CSV formatting (835). In this implementation, the programming of data on-boarder 37 permits the various steps for creation of data flow mappings to be performed and executed in a manner which is agnostic to script language associated with the data source objects, thereby permitting heterogeneous formatting or scripting within a single set of programming subroutines of data on-boarder 37. Similarly, target definitions connected to the data flow mappings may occur in multiple scripting languages.

Further mapping operations related to those discussed for data on-boarder subsystem 37 may be performed by means of control designer subsystem 43, the functions and associated programming of which are discussed with reference to the exemplary flowchart of FIG. 9, and associated screenshots of user interfaces shown in FIGS. 18, 19, and 20.

One or more users, similar to those that may wish to access data on-boarder 37, may access a suitable RESTful API and launch operations and associated programming of control designer 43, such as by access to a suitable internet browser (903), and an exemplary series of operations 901 may be performed, generally in response to user selections and inputs through the associated RESTful API 57 and internet browser thin client. While certain programming and associated operations of control designer 43 are generally similar to corresponding operations of data on-boarder 37, control designer 43 performs mapping relating to control mapping.

In step 905, access to a GRC form database 721 is performed in response to a user input to open an existing control mapping defined in one of the GRC forms of such database, such as in the tree view folder and in accordance with its associated category. Alternatively, in response to user request, editing of an existing control mapping is performed. The control mapping selected or retrieved is checked out for purposes of further operations by control designer 43, such as placing the selected control mapping into a logical workspace accessible through one of the RESTful APIs 57.

Operations of control designer 43 permit dragging and dropping of at least one of the data source objects into the same logical workspace as the control mapping, this dragging and dropping permitting operations with relation to control mapping as opposed to data flow mapping (907). Access to connection adapter database 609 is performed in order to perform the related operations of selecting connections to the one or more data source objects previously dragged and dropped in step 907, one of the connections being selected from one of the various saved connection adapters (step 912) of connection adapter database 609. Programming thereafter generates a source qualifier along with a default select query associated with the data source object which has been dropped into the logical workspace in conjunction with the control mapping being performed (steps 905, 906, and 907), and which operations may be repeated for one or more control names, control mappings, and associated plurality of data source objects to be mapped into or in conjunction with control mappings being generated.

Control mapping proceeds by developing and validating the control mapping (913) using different transformation objects like Joiner, Filter, control mapper, SQL control, control result sets, Lookup, Router, Cache, expression, and JAVA, Scala, Python, and R transformations. After validation of one or more control mappings, they are connected to corresponding control result sets (915), and the control mapping may thereafter be checked in so as to add suitable comments (916). Suitable programming may be selected through user input to execute the control mappings that have been generated in order to generate a log associated with the controls thereof (929, 931).

Certain advantageous programming of control designer 43, when executed, displays, in real-time, indicia which correspond to the execution of the control mappings. Still further, the programming is capable of maintaining control logic associated with the control mapping irrespective of substitution of one data source object for another. In one suitable implementation, this functionality is accomplished by means of a control mapper in the form of a bridge object, permitting the user to plug out or plug in data sources into the control mapping without changing actual logic, and thus helping the user build such mapping once and reuse it subsequently with other technical or data object changes which may occur, and without substantial rewrite.
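The bridge-object idea above can be shown with a short added example, which is not code from the disclosure: a hypothetical `ControlMapper` exposes logical columns to one unchanged control (here a segregation-of-duties test, chosen only for illustration) while a CSV export and a relational table are plugged in and out. All class, function, table, and column names and the sample rows are constructed assumptions.

```python
"""Added illustration: a control mapper bridging control logic and data sources."""
import csv
import io
import sqlite3

# Constructed sample data: a CSV export with one set of physical column names.
CSV_EXPORT = """PaymentID,CreatedBy,ApprovedBy
P-1001,alice,bob
P-1002,carol,CAROL
P-1003,dave,erin
"""

# Constructed sample data: rows for a relational source with different names.
SQL_ROWS = [(9001, "frank", "grace"), (9002, "heidi", "heidi"), (9003, "ivan", " ivan ")]


class ControlMapper:
    """Bridge object: the control sees logical columns, never the physical source."""

    def __init__(self, logical_columns):
        self.logical_columns = tuple(logical_columns)
        self._reader = None
        self._column_map = {}

    def plug_in(self, reader, column_map):
        """Attach a source; reader() yields rows indexable by physical column name."""
        missing = set(self.logical_columns) - set(column_map)
        if missing:
            # Reject an incomplete mapping before replacing the current source.
            raise ValueError(f"unmapped logical columns: {sorted(missing)}")
        self._reader = reader
        self._column_map = dict(column_map)

    def records(self):
        """Return an iterator of records keyed by logical column name."""
        if self._reader is None:
            raise RuntimeError("no data source plugged in")
        return (
            {logical: str(row[physical]) for logical, physical in self._column_map.items()}
            for row in self._reader()
        )


def sod_control(mapper):
    """Control logic, written once: flag payments created and approved by one user."""
    exceptions = []
    for rec in mapper.records():
        if rec["creator"].strip().lower() == rec["approver"].strip().lower():
            exceptions.append(rec["payment_id"])
    return exceptions


def csv_reader():
    """Reader for the CSV source."""
    return csv.DictReader(io.StringIO(CSV_EXPORT))


def make_sqlite_reader():
    """Build an in-memory relational source and return a reader for it."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row  # rows become indexable by column name
    conn.execute("CREATE TABLE ap_payments (doc_no INTEGER, entered_by TEXT, released_by TEXT)")
    conn.executemany("INSERT INTO ap_payments VALUES (?, ?, ?)", SQL_ROWS)

    def reader():
        return conn.execute(
            "SELECT doc_no, entered_by, released_by FROM ap_payments ORDER BY doc_no"
        )

    return reader


def run_demo():
    """Run the same control against both sources by swapping only the plug-in."""
    mapper = ControlMapper(("payment_id", "creator", "approver"))
    mapper.plug_in(csv_reader, {"payment_id": "PaymentID", "creator": "CreatedBy",
                                "approver": "ApprovedBy"})
    csv_result = sod_control(mapper)
    mapper.plug_in(make_sqlite_reader(), {"payment_id": "doc_no", "creator": "entered_by",
                                          "approver": "released_by"})
    return {"csv": csv_result, "sqlite": sod_control(mapper)}


if __name__ == "__main__":
    print(run_demo())
```

Only the `plug_in` call changes between sources; `sod_control` is untouched, and an incomplete column mapping is rejected before the previously plugged source is replaced.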

The subroutines and other processing capabilities of control designer 43 permit the user to write controls and associated control mapping in multiple languages, with programming of control designer 43 generally permitting executions of controls written in such diverse languages without requiring rewrite. Upon successful execution of the controls (step 933), suitable programming is capable of notifying users of execution results through multiple available channels associated with the controls of system 23. Records associated with the controls are accessible to such controls in real-time, that is, with insignificant delay between the availability of such record at the source and the execution of the associated controls for such record. Still further advantageous programming permits for the deployment of mappings and controls developed by control designer 43, by readily exporting such results in any of a variety of user-selectable formats, such as Excel, CSV, PDF, or other image.

The programming associated with data on-boarder subsystem 37 and control designer subsystem 43, in certain implementations, may consist essentially of programming in a micro service architecture. Such programming likewise may generate dataflow mapping metadata and control mapping metadata, and storing such metadata in respective databases 75 (FIG. 2). In response to user-selected operations through RESTful API 57 associated with data on-boarder 37 and control designer 43, metadata may be accessed from databases 75, and suitable programming generates engine definitions associated with data mapping and control mapping, respectively (such engines referenced at 77 in FIG. 2). The metadata and associated engine definition may be further processed during the various functions of system 23 through data integration server 45, such operations facilitated by dynamic cache 79, which is operatively connected to repository 81 and audit control result set 83, respectively.

The foregoing distributed memory architecture results in minimizing load on data sources connected to data on-boarder 37. Similarly, other tasks of data on-boarder 37, and especially those of control designer 43, including cleansing and transforming on-boarded data, may generally be processed substantially more quickly than if such tasks were performed on standard relational database management systems, because system 23 includes the repositories 35, 81, metadata 75, engines 77, dynamic caches 79, and integration server(s) 45 disclosed herein. Processing speeds with the disclosed architecture may occur at least fifty times faster for data on-boarding and control design using the architecture and associated programming of FIG. 2 disclosed herein. Computer programming associated with data on-boarder 37 improves system 23 operability by configuring data source objects into logical columns in associated data flow mappings and data records associated with the data source objects may be accessed through the logical columns, thereby establishing pipelined linkages between such columns, and at any respective points on the associated data flow mapping.

Connection adapters 39 may be developed, configured, and validated by exemplary programming, operation of which is shown in FIG. 6 and user selection of which may be accomplished through a single, user-perceptible display screen shown in FIG. 15. In response to user selection through the connections interface of FIG. 15, programming accesses data sources 33 to configure or revise and revalidate connection adapters (step 603) after launch of the connection adapter subsystem 39, such as through a suitable internet browser (601). As seen in FIG. 2, data sources 33 may include both relational and non-relational data sources, data related to ERP applications, data related to non-ERP applications, and data formatted in conformance with a plurality of industry standards. Suitable programming may test connection adapters (605) and save connection details (607) in associated connection adapter database 609 along with an associated connection record (611). Such created, edited, configured, or validated connection adapters are accessible by associated operations of data on-boarder 37 shown in FIG. 8 (step 810, FIGS. 6 and 8).

The exemplary programming operations of control designer of system 43 shown in FIG. 9 are further illustrated with respect to the associated user-perceptible screen of the control designer interface 89 shown in FIGS. 18-20. Thus, for example, operations associated with computer programming steps 904, 905, 906, 907, 910, and 912 are associated with user-selectable and/or user-perceptible fields shown in the screenshots of interface 89. Control names 91 are user-selectable on a left side scrollable menu and associated control mapping 93 is visible in a window in the upper right corner. The associated logical workspace 95 contains data objects which have been dragged and dropped therein.

FIG. 18 shows user selection of a control result control name, which has been expanded to include details thereof at 97 (with the unselected form of control result shown in FIG. 19 in a corresponding location on the right side of the screen). Referring to FIG. 19, data objects may be selected from a suitable data resources menu 99 and used to edit or perform other operations related to the control mapping 93 in logical workspace 95. The control labeled “JAVA control” 101 is likewise selectable in FIG. 18 to reveal its contents in FIG. 19 as 101′. The power and improved usability of the interface associated with control designer 43 is further illustrated by the fact that the expanded JAVA control 101′ may be further selected to reveal still further programming details associated with the items comprising JAVA control, as illustrated by the further expansion shown at FIG. 20 appearing as a window 101″.

Control designer subsystem 43 is linked by suitable programming to GRC forms subsystem 41. In particular, control names operated on by control designer 43 are defined in and by operations of GRC forms subsystem 41, exemplary operations of such GRC forms subsystem 41 being shown and described with reference to FIG. 7. In the illustrated implementation, the GRC forms user interface is launched, such as through a thin client (701), and data corresponding to various controls and rules may be selected with access from the corresponding controls and rules repositories 35 (FIG. 2), in order to structure discrete ones of the rules into a corresponding entry into a GRC form. Entries into the GRC forms may relate to functions, processes, risks, controls, and associated rules, any and all the foregoing being configured as part of the operation of the GRC forms subsystem (703). After such configuration of GRC forms, the form entries are validated (705), and upon successful validation, a new or updated one of the connection adapters for use by connection adapter subsystem 39 is stored in database 721 (step 709). GRC forms are likewise linked to associated rules of rules repository 35 (FIG. 2) (step 711).

Referring now to FIG. 10, exemplary operations of scheduling subsystem 51 are shown, along with associated computer programming. The scheduling subsystem 51 may be launched through a thin client, such as an internet browser (1001), one example of the associated interface being shown in FIG. 17. Applications, batches, and tasks may be selected through the user-perceptible display screen as shown in FIG. 17 (step 103, FIG. 10) and the associated actions, which have been scheduled, may be configured and validated in relation to data mappings and control mappings (1005). Such computerized configuration and validation occur by selective access to metadata or other data stored in databases associated with data on-boarder 37 and control designer 43, respectively (steps 837 and 920 (FIG. 10)). The resulting scheduling configuration is thereafter saved (1007) in an associated relational database 1009. Results of scheduling may be displayed and updated, such as in real time, in the user interface shown in FIG. 17. The schedule configuration stored in relational database 1009 is selectively accessed by monitoring and incident management subsystems 53, 47 (step 1011).

Monitoring subsystem 53 and an exemplary series of computer implemented operations thereof is shown by way of its associated web-browser graphical user interface in FIG. 14, and the flowchart of FIG. 11. The interface shown in FIG. 14 is launched by suitable user selection of associated fields (1103), in response to which existing functions, processes, risks, controls, and rules are shown as user-selectable indicia 105, in this implementation displayed in a monitoring view associated with the illustrated screen shown in FIG. 14 of the monitoring subsystem user interface. The controls being executed by system 23 are continuously monitored in real time through such single, user-perceptible screen. As such, suitable programming may identify a failure in real time during execution of a control related task (1105) and thereafter generate an incident report accessible by incident management subsystem 47 (1107). Upon resolution of the incident, programming causes a restart of the control related task, preferably at an audit control point associated with the failure. Programming of monitoring subsystem 53 is thus capable of identifying scheduled, continuous, and real-time batches, tasks, and a history of task executions associated with control mappings (1109, 1111) and necessarily updates the indicia in real-time, such as indicia 107. Through the interface shown in FIG. 14, task details may be retrieved by selecting user-selectable fields 105. In this manner, controls are continuously monitored by monitoring subsystem 53 and its associated programming.

Incident management subsystem 47 permits management not only of manually entered incidents, but also of incidents generated by system tests and system operations described previously and related to the other subsystems of system 23. One exemplary series of computer operations and associated programming of incident management subsystem 47 is shown in FIG. 12, and one exemplary user-perceptible screen of a user interface is shown in FIG. 16. As with previous subsystems discussed herein, launching of the incident management subsystem 47 is preferably accomplished through user selection of the appropriate file from the simultaneously displayed user-selectable fields for all subsystems (1201). In this implementation, the selection is facilitated by the user-selectable menu of all subsystems shown on the left side of the user-perceptible screen. After creation of any manual incidents and input thereof into the system (1203), a list of incidents logged by computerized operations of monitoring subsystem 53 may be accessed (step 1205). Linkages to the associated data logged by monitoring subsystem 53 may be accessed and displayed as indicia 109 (1207). The user interface likewise has selectable fields for assigning the incident to investigation teams as a part of an investigation, such as user-selectable field 111 (step 1209), and such assignment may likewise assign a resolution group (step 1211), which may be entered and later reviewed in user-modifiable indicia 113. Progress can be tracked by either user entry or access to data on the system corresponding to the start date of the associated incident investigation. Data incident files may be associated with the investigation and the system may include programming to track open or closed status of investigations (1213). Suitable indicia 115 may be displayed corresponding to operations of incident management subsystem 47, such as the incident or investigation start and end dates and status of the investigations.

The incident management subsystem 47 may likewise generate email notifications or other notices to personnel (steps 1213, 1215), with programming factoring in the passage of time from the inputted start date to the current date associated with the incident under management by incident management system 47.
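The monitoring and incident-management flow described above, as an added Python example that is not code from the patent: a failure in a control-related task is logged as an incident, the task restarts at the failed audit control point once the incident is closed, and open incidents are flagged for notification by days elapsed since their start date. All class and function names, the sample control steps, and the 3-day notification threshold are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Callable, List, Optional


@dataclass
class Incident:
    incident_id: int
    task_name: str
    control_point: int            # index of the step that failed
    error: str
    start_date: date
    status: str = "open"          # "open" or "closed"
    resolution_group: Optional[str] = None


@dataclass
class ControlTask:
    name: str
    steps: List[Callable[[dict], None]]   # each step ends at an audit control point
    context: dict = field(default_factory=dict)
    next_step: int = 0                    # first step not yet completed
    status: str = "scheduled"             # scheduled | failed | completed
    executed: List[int] = field(default_factory=list)  # history of step executions


class Monitor:
    def __init__(self) -> None:
        self.incidents: List[Incident] = []

    def run(self, task: ControlTask, today: date) -> Optional[Incident]:
        """Run from task.next_step; on failure log an incident and stop."""
        while task.next_step < len(task.steps):
            idx = task.next_step
            task.executed.append(idx)          # keep the attempt as audit evidence
            try:
                task.steps[idx](task.context)
            except Exception as exc:
                task.status = "failed"
                incident = Incident(len(self.incidents) + 1, task.name,
                                    idx, str(exc), today)
                self.incidents.append(incident)
                return incident
            task.next_step = idx + 1           # control point reached
        task.status = "completed"
        return None

    def resolve_and_restart(self, incident: Incident, task: ControlTask,
                            today: date) -> Optional[Incident]:
        """Close the incident, then restart at the control point that failed."""
        if incident.task_name != task.name or incident.status != "open":
            raise ValueError("not an open incident for this task")
        incident.status = "closed"
        task.next_step = incident.control_point   # earlier steps are not re-run
        return self.run(task, today)

    def due_notifications(self, today: date, max_open_days: int = 3) -> List[Incident]:
        """Open incidents whose age since start_date reached the threshold."""
        return [i for i in self.incidents
                if i.status == "open" and (today - i.start_date).days >= max_open_days]


# Constructed sample control: every journal entry must have an approver.
def load_ledger(ctx: dict) -> None:
    ctx["rows"] = [{"id": 1, "approved_by": "a.lee"}, {"id": 2, "approved_by": None}]

def check_approvals(ctx: dict) -> None:
    if not ctx.get("approver_feed_ok"):
        raise RuntimeError("approver feed unavailable")
    ctx["unapproved"] = [r["id"] for r in ctx["rows"] if r["approved_by"] is None]

def score_risk(ctx: dict) -> None:
    ctx["controls_failed"] = len(ctx["unapproved"])


def demo():
    monitor = Monitor()
    task = ControlTask("journal-approval", [load_ledger, check_approvals, score_risk])
    incident = monitor.run(task, date(2024, 3, 1))          # fails at step 1
    overdue = monitor.due_notifications(date(2024, 3, 5))   # 4 days open
    task.context["approver_feed_ok"] = True                 # fix by resolution group
    monitor.resolve_and_restart(incident, task, date(2024, 3, 5))
    return monitor, task, incident, overdue


if __name__ == "__main__":
    _, t, inc, _ = demo()
    print(t.status, t.executed, inc.status, t.context["controls_failed"])
```

The `executed` history keeps the failed attempt alongside the successful rerun, so the evidence trail shows that step 0 ran once and only the failed control point was repeated.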

Referring generally to FIGS. 13-20, programming subsystems for all of the environments, that is, development environment 27, run-time environment 29, and management environment 31, are user accessible through a thin client, such as an internet browser, screenshots of associated graphical user interfaces of which are shown in such figures. User-selectable fields which permit launching of the subsystems disclosed herein of all three environments are simultaneously displayed on the user-perceptible screens, in this case such simultaneous display being in the form of a sidebar 85 comprised of user-selectable fields for the various subsystems available in system 23.

Example embodiments are described herein with reference to block diagrams and/or flowchart illustrations of computer-implemented methods, apparatus (systems and/or devices) and/or computer program products. It is understood that a block of the block diagrams and/or flowchart illustrations, and combinations of blocks in the block diagrams and/or flowchart illustrations, can be implemented by computer program instructions that are performed by one or more computer circuits. These computer program instructions may be provided to a processor circuit of a general purpose computer circuit, special purpose computer circuit, and/or other programmable data processing circuit to produce a machine, such that the instructions, which execute via the processor of the computer and/or other programmable data processing apparatus, transform and control transistors, values stored in memory locations, and other hardware components within such circuitry to implement the functions/acts specified in the block diagrams and/or flowchart block or blocks, and thereby create means (functionality) and/or structure for implementing the functions/acts specified in the block diagrams and/or flowchart block(s).

These computer program instructions may also be stored in a tangible computer-readable medium that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable medium produce an article of manufacture including instructions which implement the functions/acts specified in the block diagrams and/or flowchart block or blocks. Accordingly, embodiments of present inventive concepts may be embodied in hardware and/or in software (including firmware, resident software, micro-code, etc.) that runs on a processor such as a digital signal processor, which may collectively be referred to as “circuitry,” “a module” or variants thereof.

It should also be noted that in some alternate implementations, the functions/acts noted in the blocks may occur out of the order noted in the flowcharts. For example, two blocks shown in succession may in fact be executed substantially concurrently or the blocks may sometimes be executed in the reverse order, depending upon the functionality/acts involved. Moreover, the functionality of a given block of the flowcharts and/or block diagrams may be separated into multiple blocks and/or the functionality of two or more blocks of the flowcharts and/or block diagrams may be at least partially integrated. Finally, other blocks may be added/inserted between the blocks that are illustrated, and/or blocks/operations may be omitted without departing from the scope of inventive concepts. Moreover, although some of the diagrams include arrows on communication paths to show a primary direction of communication, it is to be understood that communication may occur in the opposite direction to the depicted arrows.

It will be understood that although the terms first, second, third, etc. may be used herein to describe various elements/operations, these elements/operations should not be limited by these terms. These terms are only used to distinguish one element/operation from another element/operation. Thus a first element/operation in some embodiments could be termed a second element/operation in other embodiments without departing from the teachings of present inventive concepts. The same reference numerals or the same reference designators denote the same or similar elements throughout the specification.

As used herein, the terms “comprise”, “comprising”, “comprises”, “include”, “including”, “includes”, “have”, “has”, “having”, or variants thereof are open-ended, and include one or more stated features, integers, elements, steps, components or functions but do not preclude the presence or addition of one or more other features, integers, elements, steps, components, functions or groups thereof. Furthermore, as used herein, the common abbreviation “e.g.”, which derives from the Latin phrase “exempli gratia,” may be used to introduce or specify a general example or examples of a previously mentioned item, and is not intended to be limiting of such item. The common abbreviation “i.e.”, which derives from the Latin phrase “id est,” may be used to specify a particular item from a more general recitation.

Although several embodiments of inventive concepts have been disclosed in the foregoing specification, it is understood that many modifications and other embodiments of inventive concepts will come to mind to which inventive concepts pertain, having the benefit of teachings presented in the foregoing description and associated drawings. It is thus understood that inventive concepts are not limited to the specific embodiments disclosed hereinabove, and that many modifications and other embodiments are intended to be included within the scope of the appended claims. It is further envisioned that features from one embodiment may be combined or used with the features from a different embodiment(s) described herein. Moreover, although specific terms are employed herein, as well as in the claims which follow, they are used only in a generic and descriptive sense, and not for the purposes of limiting the described inventive concepts, nor the claims which follow.

What is claimed is:
 1. A computer system for internal audit and internal control management, the system comprising: a platform for integrated internal audit and internal control management, the platform comprising a development environment, a run-time environment, and a management environment; a plurality of data sources stored in databases and related to auditable processes subject to the internal audit; a plurality of repositories storing data associated with controls and rules related to the control management; a plurality of interconnected computer subsystems having programming routines executable in at least one of the environments, the computer subsystems comprising first, second, and third sets of subsystems; wherein each of said subsystems for all of said environments are user-accessible through a thin client comprising an internet browser, the thin client having a graphical user interface with selectable fields corresponding to each of said subsystems of each of said three environments simultaneously displayed on an associated user-perceptible screen; wherein the first set of subsystems is executable in the development environment, the first set of subsystems comprising a data on-boarder, connection adapters, and GRC forms; wherein the second set of subsystems is executable in the run-time environment and comprises a data integration server; wherein the third set of subsystems is executable in the management environment and comprises incident management, issue management, scheduling, monitoring, and security; a RESTful application programming interface generated by, and having user-selectable fields associated with, the first set of subsystems in the development environment; a plurality of dashboards generated by, and having user-selectable fields associated with, the third set of subsystems in the management environment; wherein the dashboards comprise a control monitoring scoreboard, the scoreboard simultaneously displaying key performance indicators determined in real time by the third set of subsystems of the management environment, the key performance indicators comprising controls failed, related records scanned, tests performed, and associated risk scores, the foregoing determinations displayed on the scoreboard as user-perceptible indicia; the scoreboard having programming for displaying detail records of respective ones of the key performance indicators in response to user selection of an associated field on the scoreboard; wherein the data on-boarder comprises programming capable of performing the following computer-implemented steps in response to user input through the RESTful application programming interface: create a first data flow mapping corresponding to a first data source object to be on-boarded; edit a second data flow mapping previously created by the data on-boarder, the second data flow mapping corresponding to a second data source object; drag and drop at least one of the data source objects to be on-boarded into a first logical work space accessible from the RESTful application programming interface; select a predetermined connection for the dropped source object from a plurality of the connections determined by the connection adapters; generate a source qualifier and default select query for the dropped source object; develop and validate the data flow mappings using transformation objects selected from the group consisting of Joiner, Filter, Lookup, Router, Cache, Expression, and JAVA/Scala/Python/R transformations; connect to target definitions after validation of the data flow mappings; execute the data flow mappings to generate associated run statistics, and display in real-time first indicia corresponding to the execution of the data flow mappings; wherein the steps of dragging and dropping and connecting to the target definitions are executable in a manner agnostic to script language associated with the source object and the target definition.
 2. The system of claim 1, wherein the data on-boarder subsystem consists essentially of programming in a micro service architecture.
 3. (canceled)
 4. The system of claim 1, wherein the control monitoring scoreboard comprises programming for displaying on a single, user-perceptible display screen indicia corresponding to performance of the controls being monitored by the system, the performance quantified by numbers determined for predetermined, corresponding periods of time, the displayed indicia corresponding to data determined by the control monitor and comprising functions, processes, risks, controls, completed and failed monitoring, incidents by status, batches executed by status, tasks executed by status, and issues by status.
 5. The system of claim 1, wherein the data on-boarder comprises programming, which, when executed, configures the data source objects into logical columns in the data flow mapping, the programming displaying indicia corresponding to the logical columns in the RESTful API, and further including programming to access data records associated with the data source objects corresponding to the logical columns through pipelined linkages.
 6. The system of claim 1, wherein the connection adaptors comprise: a connections interface; programming executable in response to user selection through the connections interface and capable of performing, when executed, the steps of: access the data sources, wherein the data sources are heterogeneous and comprise relational data sources, non-relational data sources, data related to ERP applications, data related to non-ERP applications, discrete ones of the data sources formatted in conformance with respective industry standards; wherein the step of drag and drop of the data source object is performed by programming to receive any of the data source objects from the heterogeneous data sources, irrespective of the respective industry standards to which the data source object conforms and to place the data source objects into the first logical work space by means of one of the connection adaptors corresponding to a respective one of the heterogeneous data sources.
 7. The system of claim 1, wherein the scheduling subsystem comprises programming, when executed by the user, capable of performing the following steps: through a single user-perceptible display screen, enabling selection and scheduling of applications, batches, and tasks, the programming permitting scheduling in real time, the programming being capable of scheduling applications, batches, and tasks in any of the time intervals comprising continuous, intermittent, and one-time; the programming determining the results of the scheduling and displaying and updating indicia corresponding to the results of the scheduling.
 8. The system of claim 1, wherein the data on-boarder has programming capable of generating data flow mapping metadata, the programming storing the metadata in one of the databases accessible to the data integration server, the programming generating each of the data flow mappings in response to receiving user-input in a single, domain-specific programming language selected from the group consisting of JAVA, Python, and Scala.
 9. The system of claim 1, wherein the monitoring system comprises monitoring programming to continuously monitor the controls in real-time through a single, user-perceptible monitor user interface, the monitoring programming, when executed, capable of performing the following steps: identify in real-time a failure during execution of a control-related task; generate an incident report accessible by the incident management system; upon resolution of the incident, cause a restart of the control-related task at an audit control point associated with the failure; wherein the monitoring program is capable of: identifying scheduled, continuous, and real-time batches, tasks, and a history of task executions; displaying corresponding indicia on the monitor user interface in at least one of a monitoring view and a task view; updating the indicia in real-time, the indicia having user-selectable fields associated therewith; and retrieving task details in response to user selection, whereby the controls are continuously monitored by the monitoring programming.
 10. The system of claim 1, wherein the GRC forms subsystem comprises programming, when executed in response to user selection, capable of performing the steps of: launch a GRC forms user interface; access data corresponding to controls and rules from the controls and rules repositories, respectively, to structure discrete ones of the rules into at least one corresponding control to create entries into a GRC form; validate operation of the entries with selected ones of the data objects; if the validation is successful, generate a corresponding new or updated one of the connection adapters; and link the GRC form to the rules repository.
 11. A computer-implemented method of internal control management, comprising: providing a plurality of dashboards generated by, and having user-selectable fields associated with the internal control management, one of the dashboards comprising a control monitoring scoreboard; simultaneously displaying on the scoreboard key performance indicators determined in real time, the key performance indicators comprising controls failed, related records scanned, tests performed, and associated risk scores; displaying the foregoing determinations on the scoreboard as user-perceptible indicia; displaying detail records of respective ones of the key performance indicators in response to user selection of an associated field on the scoreboard; on-boarding data by performing the following computer-implemented steps in response to user input through a RESTful application programming interface: at least one of creating a first data flow mapping corresponding to a first data source programming interface source object to be on-boarded and editing a previously created, second data flow mapping corresponding to a second data source object; dragging and dropping at least one of the data source objects to be on-boarded into a first logical work space accessible from the RESTful application programming interface; selecting a predetermined connection for the dropped data source object from a plurality of the connections; and generating a source qualifier and default select query for the dropped data source object; executing the data flow mappings to generate associated run statistics, and displaying in real-time first indicia corresponding to the execution of the data flow mappings; wherein the steps of creating the first data flow mapping and editing the second data flow mapping comprise: developing and validating the data flow mappings using transformation objects selected from the group consisting of Joiner, Filter, Lookup, Router, Cache, Expression, and JAVA/Scala/Python/R transformations and connecting to target definitions after validation of the data flow mappings; wherein the steps of dragging and dropping and connecting to the target definitions are executable in a manner agnostic to script language associated with the source object and the target definition.
 12. The method of claim 11, further comprising the steps of displaying indicia on a single, user-perceptible display screen, the indicia corresponding to performance of the controls being monitored by the system, the performance quantified by numbers determined for predetermined, corresponding periods of time, the displayed indicia corresponding to data determined by the control monitor, the quantitative data comprising functions, processes, risks, controls, completed and failed monitoring, incidents by status, batches executed by status, tasks executed by status, and issues by status.
 13. The method of claim 11, further comprising the steps of configuring the data source objects into logical columns in the data flow mapping, displaying indicia corresponding to the logical columns in the RESTful API, and accessing data records associated with the data source objects corresponding to the logical columns through pipelined linkages.
 14. The method of claim 11, further comprising the steps of: providing a connections interface to access data sources, wherein the data sources are heterogeneous and comprise relational data sources, non-relational data sources, data related to ERP applications, data related to non-ERP applications, discrete ones of the data sources formatted in conformance with respective industry standards; wherein the step of drag and drop of the data source object is performed by programming to receive any of the data source objects from the heterogeneous data sources, irrespective of the respective industry standards to which the data source object conforms and to place the data source objects into the first logical work space by means of respective ones of the connection adaptors corresponding to a respective one of the heterogeneous data sources.
 15. The method of claim 11, further comprising the steps of: enabling selection and scheduling of applications, batches, and tasks in real time and in any of the time intervals comprising continuous, intermittent, and one-time; determining the results of the scheduling and displaying and updating indicia corresponding to the results of the scheduling through a single, user-perceptible display screen.
 16. The method of claim 11, wherein the step of on-boarding comprises generating data flow mapping metadata, the generation of metadata for a plurality of the data flow mappings performed by instructions in a plurality of domain-specific programming language selected from the group consisting of JAVA, Python, and Scala.
 17. The method of claim 11, comprising the steps of: continuously monitoring the controls in real-time through a single, user-perceptible monitor user interface; identifying in real-time a failure during execution of a control-related task; generating an incident report in user-perceptible form; and upon resolution of the incident, causing a restart of the control-related task at an audit control point associated with the failure.
 18. The method of claim 11, further comprising the steps of: identifying scheduled, continuous, and real-time batches, tasks, and a history of task executions; displaying in user-perceptible form indicia corresponding to the batches and tasks; updating the indicia in real-time to continuously monitor the controls, the indicia having user-selectable fields associated therewith.
 19. The method of claim 11, further comprising the steps of: launching a GRC forms user interface; accessing data corresponding to controls and rules to structure discrete ones of the rules into at least one corresponding control to create entries into a GRC form; validating operation of the entries with selected ones of the data objects; if the validation is successful, generating a corresponding connection adapters; and linking the GRC form to a rules repository.